PR feedback

Author: hgeraldino

src/main/java/com/rabbitmq/client/PemReader.java

@@ -21,10 +21,12 @@
 import javax.crypto.SecretKeyFactory;
 import javax.crypto.spec.PBEKeySpec;
 import java.io.ByteArrayInputStream;
-import java.io.File;
 import java.io.IOException;
-import java.nio.file.Files;
-import java.security.*;
+import java.security.GeneralSecurityException;
+import java.security.KeyFactory;
+import java.security.KeyStore;
+import java.security.KeyStoreException;
+import java.security.PrivateKey;
 import java.security.cert.Certificate;
 import java.security.cert.CertificateException;
 import java.security.cert.CertificateFactory;
@@ -57,26 +59,47 @@ public final class PemReader {
 
     private static final Pattern CERT_PATTERN = Pattern.compile(
         "-+BEGIN\\s+.*CERTIFICATE[^-]*-+\\s*"  // Header
-            + "([a-z0-9+/=\\r\\n]+)"           // Base64 text
+            + "([a-z0-9+/=\\s]+)"           // Base64 text
             + "-+END\\s+.*CERTIFICATE[^-]*-+", // Footer
         CASE_INSENSITIVE);
 
     private static final Pattern PRIVATE_KEY_PATTERN = Pattern.compile(
         "-+BEGIN\\s+.*PRIVATE\\s+KEY[^-]*-+\\s*"  // Header
-            + "([a-z0-9+/=\\r\\n]+)"              // Base64 text
+            + "([a-z0-9+/=\\s]+)"              // Base64 text
             + "-+END\\s+.*PRIVATE\\s+KEY[^-]*-+", // Footer
         CASE_INSENSITIVE);
 
     private PemReader() {
     }
 
-    public static KeyStore loadKeyStore(String certificateChainFile, String privateKeyFile, Optional<String> keyPassword) throws IOException, GeneralSecurityException {
-        PrivateKey key = loadPrivateKey(privateKeyFile, keyPassword);
-
-        List<X509Certificate> certificateChain = readCertificateChain(certificateChainFile);
+    /**
+     * Loads a KeyStore from PEM file contents.
+     * <p>
+     * This method reads a private key and certificate chain from PEM-formatted content
+     * and stores them in a JKS KeyStore. The certificate file must contain at least one
+     * certificate.
+     *
+     * @param certificateChainContents the PEM-formatted content containing the certificate chain
+     * @param privateKeyContents the PEM-formatted content containing the private key
+     * @param keyPassword optional password for the private key; if the key is encrypted, this password
+     *                    will be used to decrypt it
+     * @return a KeyStore containing the private key and certificate chain
+     * @throws IOException if an I/O error occurs while reading the PEM content
+     * @throws GeneralSecurityException if a security-related error occurs, such as:
+     *         <ul>
+     *         <li>the private key cannot be loaded</li>
+     *         <li>the certificate chain is empty</li>
+     *         <li>the KeyStore cannot be initialized</li>
+     *         </ul>
+     * @throws CertificateException if the certificate file does not contain any certificates
+     */
+    public static KeyStore loadKeyStore(String certificateChainContents, String privateKeyContents, Optional<String> keyPassword) throws IOException, GeneralSecurityException {
+        PrivateKey key = loadPrivateKey(privateKeyContents, keyPassword);
+
+        List<X509Certificate> certificateChain = readCertificateChain(certificateChainContents);
         if (certificateChain.isEmpty()) {
             throw new CertificateException("Certificate file does not contain any certificates: "
-                                           + certificateChainFile);
+                                           + certificateChainContents);
         }
 
         KeyStore keyStore = KeyStore.getInstance("JKS");
@@ -88,8 +111,20 @@ public static KeyStore loadKeyStore(String certificateChainFile, String privateK
         return keyStore;
     }
 
-    public static List<X509Certificate> readCertificateChain(String certificateChain) throws CertificateException {
-        Matcher matcher = CERT_PATTERN.matcher(certificateChain);
+    /**
+     * Reads a chain of X.509 certificates from PEM-formatted content.
+     * <p>
+     * This method extracts all certificates found in the provided PEM content. Certificates
+     * are identified by BEGIN CERTIFICATE and END CERTIFICATE markers. The certificates are
+     * returned in the order they appear in the input.
+     *
+     * @param certificateChainContents the PEM-formatted content containing one or more certificates
+     * @return a list of X.509 certificates extracted from the PEM content; may be empty if no
+     *         certificates are found
+     * @throws CertificateException if any certificate cannot be parsed or generated
+     */
+    public static List<X509Certificate> readCertificateChain(String certificateChainContents) throws CertificateException {
+        Matcher matcher = CERT_PATTERN.matcher(certificateChainContents);
         CertificateFactory certificateFactory = CertificateFactory.getInstance("X.509");
         List<X509Certificate> certificates = new ArrayList<>();
 
@@ -103,6 +138,28 @@ public static List<X509Certificate> readCertificateChain(String certificateChain
         return certificates;
     }
 
+    /**
+     * Loads a private key from PEM-formatted content.
+     * <p>
+     * This method supports both encrypted and unencrypted private keys. The key must be in
+     * PKCS#8 format. To convert a key to PKCS#8 format, use:
+     * {@code openssl pkcs8 -topk8 ...}
+     * <p>
+     * The method attempts to load the key using RSA, EC, and DSA algorithms in that order.
+     *
+     * @param privateKey the PEM-formatted content containing the private key
+     * @param keyPassword optional password for decrypting an encrypted private key; if empty,
+     *                    the key is assumed to be unencrypted
+     * @return the loaded private key
+     * @throws IOException if an I/O error occurs while reading the key
+     * @throws GeneralSecurityException if a security-related error occurs, such as:
+     *         <ul>
+     *           <li>no private key is found in the content</li>
+     *           <li>the key format is invalid</li>
+     *           <li>the key cannot be decrypted with the provided password</li>
+     *          <li>the key algorithm is not supported (RSA, EC, or DSA)</li>
+     *         </ul>
+     */
     public static PrivateKey loadPrivateKey(String privateKey, Optional<String> keyPassword) throws IOException, GeneralSecurityException {
         Matcher matcher = PRIVATE_KEY_PATTERN.matcher(privateKey);
         if (!matcher.find()) {
@@ -126,20 +183,28 @@ public static PrivateKey loadPrivateKey(String privateKey, Optional<String> keyP
 
         // this code requires a key in PKCS8 format which is not the default openssl format
         // to convert to the PKCS8 format you use : openssl pkcs8 -topk8 ...
+        List<String> attemptedAlgorithms = new ArrayList<>();
         try {
             KeyFactory keyFactory = KeyFactory.getInstance("RSA");
             return keyFactory.generatePrivate(encodedKeySpec);
-        } catch (InvalidKeySpecException ignore) {
+        } catch (InvalidKeySpecException e) {
+            attemptedAlgorithms.add("RSA: " + e.getMessage());
         }
 
         try {
             KeyFactory keyFactory = KeyFactory.getInstance("EC");
             return keyFactory.generatePrivate(encodedKeySpec);
-        } catch (InvalidKeySpecException ignore) {
+        } catch (InvalidKeySpecException e) {
+            attemptedAlgorithms.add("RSA: " + e.getMessage());
         }
 
-        KeyFactory keyFactory = KeyFactory.getInstance("DSA");
-        return keyFactory.generatePrivate(encodedKeySpec);
+        try {
+            return KeyFactory.getInstance("DSA").generatePrivate(encodedKeySpec);
+        } catch (InvalidKeySpecException e) {
+            attemptedAlgorithms.add("DSA: " + e.getMessage());
+            throw new KeyStoreException(
+                    "Failed to load private key with any supported algorithm. Attempts: " + attemptedAlgorithms, e);
+        }
     }
 
     private static byte[] base64Decode(String base64) {

src/test/java/com/rabbitmq/client/test/ssl/TlsTestUtils.java

@@ -17,28 +17,35 @@
 package com.rabbitmq.client.test.ssl;
 
 import com.rabbitmq.client.ConnectionFactory;
+import com.rabbitmq.client.PemReader;
 import com.rabbitmq.client.test.TestUtils;
 import com.rabbitmq.tools.Host;
 import io.netty.handler.ssl.ClientAuth;
 import io.netty.handler.ssl.IdentityCipherSuiteFilter;
 import io.netty.handler.ssl.JdkSslContext;
 import io.netty.handler.ssl.SslContext;
 import io.netty.handler.ssl.SslContextBuilder;
-import java.io.FileInputStream;
+
+import javax.net.ssl.SSLContext;
+import javax.net.ssl.TrustManager;
+import javax.net.ssl.TrustManagerFactory;
+import javax.net.ssl.X509TrustManager;
 import java.net.InetAddress;
 import java.net.UnknownHostException;
+import java.nio.file.Files;
+import java.nio.file.Paths;
 import java.security.KeyStore;
 import java.security.NoSuchAlgorithmException;
 import java.security.cert.Certificate;
-import java.security.cert.CertificateFactory;
+import java.security.cert.CertificateException;
 import java.security.cert.X509Certificate;
 import java.util.Arrays;
 import java.util.Collection;
+import java.util.List;
+import java.util.Optional;
 import java.util.stream.Collectors;
-import javax.net.ssl.SSLContext;
-import javax.net.ssl.TrustManager;
-import javax.net.ssl.TrustManagerFactory;
-import javax.net.ssl.X509TrustManager;
+
+import static java.nio.charset.StandardCharsets.US_ASCII;
 
 class TlsTestUtils {
 
@@ -147,11 +154,55 @@ static String clientCertificateFile() {
             "./rabbitmq-configuration/tls/client_" + hostname() + "_certificate.pem"));
   }
 
-  static X509Certificate loadCertificate(String file) throws Exception {
-    try (FileInputStream inputStream = new FileInputStream(file)) {
-      CertificateFactory fact = CertificateFactory.getInstance("X.509");
-      return (X509Certificate) fact.generateCertificate(inputStream);
+  static X509Certificate loadCertificate(String file) throws Exception
+  {
+    List<X509Certificate> certs = loadCertificateChain(file);
+    if (certs.isEmpty()) {
+      throw new CertificateException("No certificates found in file: " + file);
+    }
+    return certs.get(0);
     }
+
+  /**
+   * Load certificate chain from PEM file.
+   * Supports files with multiple concatenated certificates and mixed content (cert + key).
+   *
+   * @param file Path to PEM file
+   * @return List of certificates found in the file
+   */
+  static List<X509Certificate> loadCertificateChain(String file) throws Exception
+  {
+    String pemContent = new String(Files.readAllBytes(Paths.get(file)), US_ASCII);
+    return PemReader.readCertificateChain(pemContent);
+  }
+
+  /**
+   * Load KeyStore from combined PEM file containing both certificate(s) and private key.
+   *
+   * @param file Path to PEM file containing certificate chain and private key
+   * @param keyPassword Password for encrypted private key (null if unencrypted)
+   * @return KeyStore containing the certificate chain and private key
+   */
+  static KeyStore loadKeyStoreFromPem(String file, String keyPassword) throws Exception
+  {
+    String pemContent = new String(Files.readAllBytes(Paths.get(file)), US_ASCII);
+    return PemReader.loadKeyStore(pemContent, pemContent, Optional.ofNullable(keyPassword));
+  }
+
+  /**
+   * Load KeyStore from separate certificate and private key PEM files.
+   *
+   * @param certFile Path to PEM file containing certificate chain
+   * @param keyFile Path to PEM file containing private key
+   * @param keyPassword Password for encrypted private key (null if unencrypted)
+   * @return KeyStore containing the certificate chain and private key
+   */
+  static KeyStore loadKeyStoreFromPem(String certFile, String keyFile, String keyPassword)
+      throws Exception
+  {
+    String certContent = new String(Files.readAllBytes(Paths.get(certFile)), US_ASCII);
+    String keyContent = new String(Files.readAllBytes(Paths.get(keyFile)), US_ASCII);
+    return PemReader.loadKeyStore(certContent, keyContent, Optional.ofNullable(keyPassword));
   }
 
   private static String tlsArtefactPath(String in) {